start tcpdump log on high traffic

Posted . Visible to the public.

Logging tcpdump output all the time can create a huge amount of data. This can be both: too much data size on HDD and tiring to analyze. You can run a script in a screen which checks out the packages transfered per second and start a tcpdump when the packages exceed a fixed number.

#!/usr/bin/env bash

interface=eth0
dumpdir=/tmp/
packet_threshold=5000
log_packets=100000

while /bin/true; do
  pkt_old=`grep $interface: /proc/net/dev | cut -d :  -f2 | awk '{ print $2 }'`
  sleep 1
  pkt_new=`grep $interface: /proc/net/dev | cut -d :  -f2 | awk '{ print $2 }'`

  pkt=$(( $pkt_new - $pkt_old ))
  echo -ne "\r$pkt packets/s\033[0K"

  if [ $pkt -gt $packet_threshold ]; then
    echo -e "\n`date` high traffic, starting a tcpdump"
    tcpdump -n -s0 -c $log_packets -w $dumpdir/dump.`date +"%Y%m%d-%H%M%S"`.cap
    echo "`date` Packets dumped, sleeping now."
    sleep 300
  fi
done
Claus-Theodor Riegg
Last edit
Claus-Theodor Riegg
License
Source code in this card is licensed under the MIT License.
Posted by Claus-Theodor Riegg to makandra dev (2015-11-25 10:13)